no-excessive-port-access
Explanation
Ensure access to specific required ports is allowed, and nothing else.
Possible Impact
All ports exposed for egressing data
Suggested Resolution
Set specific allowed ports
Insecure Example
The following example will fail the AVD-AWS-0102 check.
---
AWSTemplateFormatVersion: 2010-09-09
Description: Bad example of excessive ports
Resources:
  NetworkACL:
    Type: AWS::EC2::NetworkAcl
    Properties:
      VpcId: "something"
  Rule:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId:
        Ref: NetworkACL
      # -1 means every protocol, so every port is allowed
      Protocol: -1
      # RuleNumber, RuleAction and CidrBlock are required by CloudFormation;
      # placeholder values added so the template validates
      RuleNumber: 100
      RuleAction: allow
      CidrBlock: 0.0.0.0/0
Secure Example
The following example will pass the AVD-AWS-0102 check.
---
AWSTemplateFormatVersion: 2010-09-09
Description: Good example of excessive ports
Resources:
  NetworkACL:
    Type: AWS::EC2::NetworkAcl
    Properties:
      VpcId: "something"
  Rule:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId:
        Ref: NetworkACL
      # 6 is TCP, so the rule no longer covers every protocol
      Protocol: 6
      # RuleNumber, RuleAction and CidrBlock are required by CloudFormation;
      # placeholder values added so the template validates
      RuleNumber: 100
      RuleAction: allow
      CidrBlock: 0.0.0.0/0
Protocol 6 restricts the rule to TCP, which is what the check tests for; to match the suggested resolution, also add a PortRange so the rule covers only the ports that are actually required.
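The check's logic, as an added Python example that is not Trivy's own Rego or Go code: it walks a CloudFormation template in its dict (JSON) form and reports every NetworkAclEntry whose Protocol is -1 or all while the rule action is allow. It assumes that a missing RuleAction is treated as allow and a missing Protocol as -1, and the three templates at the bottom are constructed to mirror the examples above.

```python
from typing import Any

# Protocol values that mean "every protocol" (and therefore every port)
ALL_PROTOCOLS = {"-1", "all"}


def nacl_entries(template: dict[str, Any]) -> list[tuple[str, dict[str, Any]]]:
    """Return (logical id, properties) for each AWS::EC2::NetworkAclEntry."""
    return [
        (name, res.get("Properties", {}))
        for name, res in template.get("Resources", {}).items()
        if res.get("Type") == "AWS::EC2::NetworkAclEntry"
    ]


def check_no_excessive_port_access(template: dict[str, Any]) -> list[str]:
    """One finding per NACL entry that allows all protocols and ports."""
    findings = []
    for name, props in nacl_entries(template):
        # Assumption: missing Protocol behaves like -1, missing RuleAction like allow
        protocol = str(props.get("Protocol", "-1")).lower()
        action = str(props.get("RuleAction", "allow")).lower()
        if action == "allow" and protocol in ALL_PROTOCOLS:
            findings.append(f"{name}: network ACL entry allows all protocols and ports (AVD-AWS-0102)")
    return findings


def entry(protocol: Any, **extra: Any) -> dict[str, Any]:
    """Constructed NetworkAclEntry resource that references the NetworkACL resource."""
    props = {"NetworkAclId": {"Ref": "NetworkACL"}, "Protocol": protocol, **extra}
    return {"Type": "AWS::EC2::NetworkAclEntry", "Properties": props}


def template(rule: dict[str, Any]) -> dict[str, Any]:
    """Constructed template with one NetworkAcl and one entry, as on this page."""
    acl = {"Type": "AWS::EC2::NetworkAcl", "Properties": {"VpcId": "something"}}
    return {"AWSTemplateFormatVersion": "2010-09-09", "Resources": {"NetworkACL": acl, "Rule": rule}}


INSECURE = template(entry(-1))                       # fails: all protocols, implicit allow
SECURE = template(entry(6))                          # passes: TCP only
DENY_ALL = template(entry(-1, RuleAction="deny"))    # passes: a deny rule grants no access

if __name__ == "__main__":
    for label, tpl in [("insecure", INSECURE), ("secure", SECURE), ("deny-all", DENY_ALL)]:
        print(label, check_no_excessive_port_access(tpl) or "pass")
```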